AI Agent (MCP)
Built-in MCP server for connecting AI assistants to your network data.
Overview
Insights Plus includes a built-in Model Context Protocol (MCP) server that lets AI assistants query your logs, inspect threats, and manage firewall syslog settings. Supported clients include Claude Desktop, Claude Code, Gemini CLI, LLM Studio, and Open Web-UI.
Note: Web-based AI clients cannot reach local/private network instances. Use a desktop or CLI client instead.
Setup
- Navigate to Settings → MCP and enable the MCP server.
- Click Create Token and assign the scopes your agent needs.
- Copy the generated token - it is only shown once.
- Configure your AI client using one of the examples below.
Client Configuration
Claude Desktop
Add to your claude_desktop_config.json:
```json
{
  "mcpServers": {
    "insights-plus": {
      "url": "http://<your-host>:8090/api/mcp/sse",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}
```
Claude Code
```bash
claude mcp add insights-plus http://<your-host>:8090/api/mcp/sse -H "Authorization: Bearer <your-token>"
```
Gemini CLI
```bash
gemini mcp add insights-plus --sse http://<your-host>:8090/api/mcp/sse -H "Authorization: Bearer <your-token>"
```
Available Tools
| Tool | Scope | Description |
|---|---|---|
| search_logs | logs.read | Query firewall, DNS, DHCP, Wi-Fi, and system logs with filters |
| get_log | logs.read | Retrieve a single log entry by ID with full enrichment |
| get_log_stats | logs.read | Aggregated counts and breakdowns for a time range |
| get_top_threat_ips | logs.read | Ranked list of IPs by AbuseIPDB threat score |
| list_threat_ips | logs.read | All IPs currently flagged as threats |
| list_services | logs.read | Known services with port mappings |
| export_logs_csv_url | logs.read | Generate a one-time CSV download URL for filtered logs |
| list_firewall_policies | firewall.read | All firewall policies with syslog status |
| set_firewall_syslog | firewall.syslog | Enable or disable syslog on a firewall policy (write) |
| list_unifi_clients | unifi.read | Connected clients from UniFi controller |
| list_unifi_devices | unifi.read | Network devices from UniFi controller |
| get_unifi_status | unifi.read | UniFi integration connection status |
| get_health | system.read | Container health, version, uptime, and database stats |
| list_interfaces | system.read | Network interfaces seen in log data |
Permission Scopes
| Scope | Description |
|---|---|
| logs.read | Search, retrieve, and export log data |
| firewall.read | List firewall policies |
| firewall.syslog | Toggle syslog on firewall policies |
| unifi.read | Read UniFi clients, devices, and status |
| system.read | Health checks and interface listings |
| mcp.admin | Manage MCP tokens and settings |
Security
- Every request requires a valid Bearer token in the Authorization header.
- Tokens are stored as HMAC-SHA256 hashes - the plaintext is never persisted.
- The MCP server is only active when explicitly enabled in Settings.
- set_firewall_syslog is the only write operation - all other tools are read-only.
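The token storage and per-tool scope checks described above, as an added example that is not Insights Plus's own code: a server keeps only the HMAC-SHA256 digest of each token and authorizes a tool call only when the token's scopes cover that tool. The `TokenStore` class, the server key, and the token format are assumptions made for illustration; the tool-to-scope pairs come from the Available Tools table.

```python
import hashlib
import hmac
import secrets

# Tool -> required scope, copied from the Available Tools table (subset).
TOOL_SCOPES = {
    "search_logs": "logs.read",
    "list_firewall_policies": "firewall.read",
    "set_firewall_syslog": "firewall.syslog",  # the only write operation
    "get_health": "system.read",
}
KNOWN_SCOPES = set(TOOL_SCOPES.values()) | {"unifi.read", "mcp.admin"}


class TokenStore:
    """Hypothetical store that persists only HMAC-SHA256 digests of tokens."""

    def __init__(self, server_key: bytes):
        self._key = server_key   # assumed server-side secret, never sent to clients
        self._records = {}       # hex digest -> frozenset of granted scopes

    def _digest(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def create_token(self, scopes) -> str:
        unknown = set(scopes) - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)  # returned once; only the digest is kept
        self._records[self._digest(token)] = frozenset(scopes)
        return token

    def authorize(self, auth_header, tool: str) -> bool:
        """True only if the header holds a known token whose scopes cover the tool."""
        if not auth_header or not auth_header.startswith("Bearer "):
            return False
        presented = self._digest(auth_header[len("Bearer "):])
        granted = frozenset()
        for stored, scopes in self._records.items():
            if hmac.compare_digest(stored, presented):  # constant-time comparison
                granted = scopes
        required = TOOL_SCOPES.get(tool)
        return required is not None and required in granted
```

A token created with only `logs.read` passes for `search_logs` and is refused for `set_firewall_syslog`, which is the separation to aim for when an agent only needs to read logs.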